Post Upgrade 20.7 NTOPNG GeoIP Download Fails - Authentication Error

[mush2020]

After upgrading Opnsense to 20.7 ntopng geoip showing authentication error while trying to get geoip
Tried with new key still fails to download
 
/usr/local/bin # ntopng-geoip2update.sh
Fetching GeoLite2-City
SSL certificate subject doesn't match host download.maxmind.com
fetch: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=MYKEY&suffix=tar.gz: Authentication error
geoip_download?edition_id=GeoLite2-City&license_key=MYKEY&suffix=tar.gz download failed

Anything changed or anyone has direction to fix this?

[mush2020]

New error seen, could anyone assist.

/usr/local/bin # ntopng-geoip2update.sh
Fetching GeoLite2-City
Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
4667418046464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=MyKEY&suffix=tar.gz: Authentication error
geoip_download?edition_id=GeoLite2-Country&license_key=MyKey&suffix=tar.gz download failed

[hushcoden]

This is from a post by marjohn56:

root@gateway:~ # cd /usr/local/opnsense/scripts/filter/lib

root@gateway:/usr/local/opnsense/scripts/filter/lib # python3

You will now be seeing the Python interpreter.

>>> from geoip import download_geolite
>>> download_geolite()

Wait a few seconds and if you have got the correct url and licence you should see something like this:

{'address_count': 433499, 'file_count': 499, 'timestamp': '2020-01-06T23:45:56', 'locations_filename': 'GeoLite2-Country-Locations-en.csv', 'address_sources': {'IPv4': 'GeoLite2-Country-Blocks-IPv4.csv', 'IPv6': 'GeoLite2-Country-Blocks-IPv6.csv'}}

Hit Ctrl-d to exit the Python interpreter.

[mush2020]

Thanks Husgcoden,
I could see this in shell
/usr/local/opnsense/scripts/filter/lib # python3
Python 3.7.8 (default, Jul 27 2020, 22:43:18)
[Clang 8.0.1 (tags/RELEASE_801/final 366581)] on freebsd12
Type "help", "copyright", "credits" or "license" for more information.
>>> from geoip import download_geolite
>>> download_geolite()
{'address_count': 0, 'file_count': 0, 'timestamp': None, 'locations_filename': N                  one, 'address_sources': {'IPv4': None, 'IPv6': None}}

I had chat with maxmind, first query was about TLS v and it should be TLS 1.3
Other assumption i have is that, even though i have my license key valid and i could download GeoIP database locally through same URL that is in ntopng-geoip2update.sh. But due to some issue related to certificate or TLS maxmind does not authenticate at first step, subsequently DB download would never happen.

Maxmind asked me to reach either opnsense or ntop to reslove this issue and there is nothing more to be done from their side.
Its all started after upgrade to 20.7

[hushcoden]

It's working for me, also after the upgrade to 20.7

But, my download link is slightly different than yours: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=MyKEY&suffix=zip

[mush2020]

Hi,
The link you have used is it for GeoIP or ntopng script
I'm getting error for ntopng script where tar.gz is used to download DB
While for GeoIP blocking zip is used in FW Aliases => GeoIP Setting => URL (this too has issue i think as last updated it shows as 2020-07-28T16:43:02)

I have even used link similar to yours but same error- Authentication